PT-2024-35125 · Mintplex · Anything-Llm

Published

2024-06-20

Updated

2025-10-15

CVE-2024-5213

CVSS v3.1

6.5

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

mintplex-labs/anything-llm versions up to and including 1.5.3
Description

An issue was discovered where the password hash of a user is returned in the response after login ("POST /api/request-token") and after account creation ("POST /api/admin/users/new"). The exposure occurs because the entire User object, including the bcrypt password hash, is serialized into the response sent to the frontend. Even though bcrypt is a strong password hashing algorithm, returning the hash is a sensitive information exposure: it hands any client (or anything that logs, caches or proxies the response) material that should never leave the server. No clues about passwords should be exposed to the frontend.
Recommendations

For versions up to and including 1.5.3, modify the responses of both endpoints so that the User object's password hash (the bcrypt hashed password) is excluded, which prevents the sensitive information exposure. As a temporary workaround, consider restricting access to the "POST /api/request-token" and "POST /api/admin/users/new" API endpoints until a patch is available. Do not include the entire User object in the response to the frontend; return only the fields the frontend needs.
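The fix the recommendation describes is an allowlisted projection of the user record rather than serializing the ORM object wholesale. The following is an added example written for this advisory, not anything-llm's own code: it shows the vulnerable response shape next to the fixed one, and adds a small guard, usable in an integration test or response-logging middleware, that scans a JSON body for anything shaped like a bcrypt hash so a regression of this kind is caught before it ships. The user record, its field names (`password`, `passwordResetToken`, etc.) and the session token are constructed assumptions and do not reflect the project's real schema.

```javascript
// Added example (not anything-llm's code). Field names and values below are
// constructed for illustration; the hash is a fabricated bcrypt-format string.

// A user record as an ORM might hand it back after login or account creation.
const userRecordFromDb = {
  id: 7,
  username: "alice",
  role: "admin",
  // bcrypt format: $2b$ + 2-digit cost + 53 chars of salt+hash (fabricated here)
  password: "$2b$10$" + "A".repeat(53),
  passwordResetToken: "f00d-constructed",
  createdAt: "2024-06-20T00:00:00.000Z",
};

// Constructed stand-in for a session/JWT token; the real one is irrelevant here.
const DEMO_TOKEN = "demo-session-token-constructed";

// Explicit allowlist: only these fields are ever serialized to the frontend.
// Anything new added to the User model stays private unless listed here.
const USER_PUBLIC_FIELDS = ["id", "username", "role", "createdAt"];

function toPublicUser(user) {
  const out = {};
  for (const key of USER_PUBLIC_FIELDS) {
    if (key in user) out[key] = user[key];
  }
  return out;
}

// Vulnerable shape: the whole user object, hash included, goes to the client.
function loginResponseVulnerable(user, token) {
  return { user, token };
}

// Fixed shape: the projection only.
function loginResponseFixed(user, token) {
  return { user: toPublicUser(user), token };
}

// bcrypt hashes look like $2a$/$2b$/$2y$, a two-digit cost, then 53 chars
// drawn from the bcrypt base64 alphabet.
const BCRYPT_HASH_RE = /\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}/;

// Walks any JSON-serializable body and returns the paths of string values
// that look like a bcrypt hash. An empty array means nothing leaked.
function findHashLeaks(body, path = "$") {
  const leaks = [];
  if (typeof body === "string") {
    if (BCRYPT_HASH_RE.test(body)) leaks.push(path);
  } else if (Array.isArray(body)) {
    body.forEach((v, i) => leaks.push(...findHashLeaks(v, `${path}[${i}]`)));
  } else if (body && typeof body === "object") {
    for (const [k, v] of Object.entries(body)) {
      leaks.push(...findHashLeaks(v, `${path}.${k}`));
    }
  }
  return leaks;
}

// Stand-alone demonstration: the vulnerable body trips the guard at
// $.user.password, the fixed body does not.
console.log("vulnerable:", findHashLeaks(loginResponseVulnerable(userRecordFromDb, DEMO_TOKEN)));
console.log("fixed:     ", findHashLeaks(loginResponseFixed(userRecordFromDb, DEMO_TOKEN)));
```

The allowlist is deliberately the default-deny direction: deleting `password` from a copy of the object (a denylist) would silently start leaking the next secret column added to the model, such as a reset token or an API key, whereas a projection has to be extended on purpose. The `findHashLeaks` guard is only a backstop for the specific bcrypt pattern; running it over every response body in the API test suite turns this class of exposure into a failing test rather than an advisory.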
